Advanced String Functions Filter Bypass With Gadgets Sql Injection

$filter = ['conv', 'code', 'hex', 'ha', 'b', 'x', '_', '`', '\'', '"', '@','into','outfile','load','file', 'date', 'co','ca', 'b', 'g', 'h', 'j', 'k', 'q', 'v', 'x', 'z', 'date', 'make'];

If the filter looks like that, how can I still inject successfully? I will show you some gadgets that can bypass such a hard filter.

String function filter bypass with gadgets

The usual string functions, such as

ascii, bin, char, concat, hex, oct, ord, conv, etc…

are blocked, but you can easily build the string you need with the following crypto functions.

aes_encrypt, …

Link: MySQL crypt functions

But most detectors also filter the underscore, to prevent access to the *_schema tables. That leaves two ways to generate arbitrary characters:

  1. Use dayname function.
  2. Use encrypt function with salt.

The first one is a well-known bypass technique: bypass with date and time functions. The result of now() (a timestamp) is an integer, so we can subtract from it and add other integers to produce every day name.

select DAYNAME(now());
-> Thursday

But this way can only produce the 15 letters “a, e, d, f, i, h, m, o, n, s, r, u, t, w, y”. Let’s check out solution 2.

Hash functions like md5, sha1, … are no better: their output only contains hexadecimal characters. We need more letters!

There aren’t any references or cheat sheets for the encrypt function.
When you run the encrypt function, the output is different each time. MySQL’s encrypt function is based on the system’s crypt function, and when no salt is given encrypt generates a random salt automatically. This is why you see a different output each time.

If you pass the salt parameter, you get a fixed output.

ENCRYPT(str[,salt])

Encrypts str using the Unix crypt() system call and returns a binary string. The salt argument must be a string with at least two characters or the result will be NULL. If no salt argument is given, a random value is used.

Note: The ENCRYPT() function is deprecated as of MySQL 5.7.6, will be removed in a future MySQL release, and should no longer be used. Consider using AES_ENCRYPT() instead.

# with no salt
select encrypt(12);
-> 10CkN4GiVzSd2
select encrypt(12);
-> F0HgfxV9ENjfY
select encrypt(12);
-> J0mzyT/ZwRHlc

# with salt
select encrypt(12, 99); # salt can be any type with at least two characters, e.g. a 2-digit number
-> 99LNryKuWYuKc
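As an added example (not from the original post), here is the PHP blacklist from the top of the post emulated in Python next to a detection rule for the gadget functions this post describes. It shows that the substring blacklist rejects harmless input such as "bob" while passing dayname(now()) and encrypt(12, 99) untouched; the gadget-function list and the sample inputs are assumptions constructed for this demonstration, and the real fix remains parameterized queries, with alerting on these functions as a detection layer rather than a longer blacklist.

```python
import re

# The PHP blacklist from the post, copied as a Python list (duplicate entries kept as in the original).
PHP_FILTER = ['conv', 'code', 'hex', 'ha', 'b', 'x', '_', '`', "'", '"', '@', 'into',
              'outfile', 'load', 'file', 'date', 'co', 'ca', 'b', 'g', 'h', 'j', 'k',
              'q', 'v', 'x', 'z', 'date', 'make']

# Gadget functions the post names as surviving that blacklist (assumed set for this example).
GADGET_FUNCTIONS = ('dayname', 'encrypt', 'aes_encrypt')
# Match "name(" case-insensitively; \b keeps "encrypt" from also matching inside "aes_encrypt".
GADGET_CALL = re.compile(r'\b(' + '|'.join(GADGET_FUNCTIONS) + r')\s*\(', re.IGNORECASE)


def blacklist_rejects(user_input: str) -> bool:
    """Emulate the post's filter: reject when any token is a case-insensitive substring."""
    lowered = user_input.lower()
    return any(token in lowered for token in PHP_FILTER)


def gadget_calls(user_input: str) -> list:
    """Return the gadget function names called in the input, lower-cased, in order of appearance."""
    return [m.group(1).lower() for m in GADGET_CALL.finditer(user_input)]


def classify(user_input: str) -> dict:
    """Defender's view of one input: what the blacklist decides, and which gadgets are present."""
    return {
        'blacklist_rejects': blacklist_rejects(user_input),
        'gadgets': gadget_calls(user_input),
    }


# Constructed sample inputs: two benign usernames and the two gadget calls shown in the post.
SAMPLES = ['bob', 'alice', 'dayname(now())', 'select encrypt(12, 99)']

if __name__ == '__main__':
    for sample in SAMPLES:
        result = classify(sample)
        verdict = 'REJECTED by blacklist' if result['blacklist_rejects'] else 'passed blacklist'
        print(f"{sample!r:28} {verdict:22} gadgets={result['gadgets']}")
```

The output shows the blacklist failing in both directions: "bob" is rejected because of the bare 'b' token, while both gadget calls pass and are only caught by the function-call rule.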

Here is a very good wargame challenge. Pwn it!!!

Link: CodeShellWEB

Here are some interesting bypass cheat sheets.

Link: SQLi Cheat Sheet 1 (English)

Link: SQLi Cheat Sheet 2 (Korean)

If you have any questions, please contact me by email or reply in the comments.